Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
Hi, it's Jim here.
I just wanted to let you know that Cybersecurity Today has been listed
as number 10 on the Feedspot list of Canadian News Podcasts.
Now, that's a real honor in a country like this, given the incredible
quality of our competition from news production giants like the CBC.
(00:23):
We'll take number 10 as a badge of honor, and this couldn't have happened
at a better time because by this weekend we'll see another number 10.
We will hit 10 million downloads.
If you wanna see the full list of the others on the list, there's a link on
our show notes at technewsday.ca or .com.
Take your pick.
(00:44):
And thank you to all of you who've made this possible.
And now back to our regularly scheduled programming.
Nvidia becomes the first GPU maker to be hit by Rowhammer style attacks.
Microsoft purges high privilege access in Microsoft 365. PerfektBlue
Bluetooth flaw exposes 350 million cars.
(01:07):
Police discover info leaked from a home device and Elmo's X account is hacked.
This is Cybersecurity Today.
I'm your host, Jim Love.
Nvidia is the first GPU vendor confirmed to be vulnerable to a
Rowhammer style bit flip attack.
According to new research out of the University of Toronto, the team has
(01:30):
demonstrated that NVIDIA's GDDR6 based cards, including high-end models
like the RTX A6000, can be exploited using a technique they call GPUHammer.
Now Rowhammer attacks exploit a flaw in how memory chips are physically
structured. By rapidly and repeatedly accessing the same memory rows,
(01:54):
attackers can cause electrical interference that flips
bits in adjacent rows.
Until now, this attack vector had only been proven against system RAM.
The University of Toronto research shows it can work against graphics
memory too, marking a significant expansion of the threat surface.
(02:15):
The proof of concept attack is complex and it took the researchers months to
develop, but the implications are serious.
A single bit flip caused by an attack was enough to degrade an
AI model's performance from 80% accuracy to just 0.1%, a catastrophic
failure in any critical application.
(02:37):
The attack doesn't require code execution on the host system.
It can be triggered simply by sharing the same GPU in a multi-tenant
environment such as a cloud server.
NVIDIA's response has been to recommend enabling error correcting
code (ECC) on affected GPUs.
(02:59):
That feature can correct single bit errors, but comes at a
cost: roughly 10% performance loss and reduced usable memory.
ECC is already standard on newer cards like the H100, but many
widely used GPUs remain exposed.
This marks a turning point.
What was once seen as a DRAM level threat is now a GPU level concern,
(03:23):
especially for AI and cloud workloads that rely heavily on shared hardware.
The researchers have published a detailed paper outlining the
technique, and there is a link in the show notes at technewsday.com or .ca.
We've been critical of Microsoft when we think they deserved it, but it feels
(03:44):
a lot better to be able to say when a company gets things right, and I think
this time Microsoft is on the right track.
Microsoft has quietly removed more than 1000 high privileged service connections
inside Microsoft 365, targeting the root causes of security risk rather than
(04:07):
layering on more patches. The move is part of the company's Secure Future Initiative,
and marks a shift away from reactive fixes towards architectural hardening.
At issue is overprivileged service to service access.
In complex cloud environments, internal apps often retain broad unnecessary
(04:29):
permissions, such as the ability to impersonate users or access entire data
sets across Office, Teams and SharePoint.
And these pathways represent high value targets if an attacker gains access.
Microsoft's overhaul replaces these permissions with a
strict, least privileged model.
(04:51):
This means services are now granted only the minimum access required
to function and nothing more.
This reduces the blast radius of a breach and helps prevent lateral
movement where attackers can use one compromised entry point to
spread through a system or network.
The remediation effort involved over 200 engineers and included deprecating
(05:12):
legacy protocols, enforcing tighter scopes like Sites.Selected instead
of Sites.Read.All, and implementing ongoing monitoring to detect regressions.
Unlike the patch-heavy cycles common in commercial software, this
effort tackled design level flaws.
(05:33):
It's the kind of behind the scenes work that rarely gets attention,
but can make a big and measurable difference in real world resilience.
Researchers at PCA Cyber Security have discovered a four bug exploit
chain code named PerfektBlue in the widely used Blue SDK Bluetooth stack.
(05:57):
These vulnerabilities, tracked as CVE-2024-45431 through CVE-2024-45434,
can be chained together
to achieve remote code execution with just a single click, the
user approving a pairing request.
Blue SDK is embedded in roughly 350 million vehicles, including
(06:22):
Mercedes-Benz, Volkswagen, Skoda, and possibly Ford, and over 1 billion
devices spanning industrial, medical, mobile, and consumer markets.
Exploitation enables full control of infotainment systems, eavesdropping
on interior voices, stealing phone contacts, GPS tracking and potentially
(06:43):
planting persistent malware that spreads beyond the Bluetooth range.
It requires close proximity, five to 10 meters.
Bluetooth pairing has to be active and the user or system has to approve the device,
although some vehicles auto approve or initiate pairing
without ignition, and even
(07:04):
if the ignition isn't on, attackers could still install malware that
survives and communicates remotely
once the vehicle connects to networks. OpenSynergy patched
Blue SDK in September 2024, three months after disclosure in June.
But updates haven't necessarily reached all OEMs yet.
(07:24):
Volkswagen is currently investigating, claiming the complexity of the
prerequisites limits exploit feasibility, and that critical safety systems like
steering and braking remain insulated.
But PerfektBlue highlights an often overlooked IoT reality.
A single Bluetooth stack flaw can ripple across millions
(07:44):
of devices and even vehicles.
The mix of user interaction can require social engineering, but the
stakes include physical security, data theft, and persistent malware risk.
OEMs and downstream integrators must verify patch deployment and
users should treat Bluetooth pairing requests with a lot of suspicion.
(08:09):
In Fredericton, the capital of the
Canadian province of New Brunswick,
a police officer has been cleared of wrongdoing after a personal computer
once used to access law enforcement systems was found in a dumpster and
ended up exposing sensitive police data.
The Serious Incident Response Team (SIRT), New Brunswick's civilian oversight
(08:32):
agency, concluded its investigation last week, and it found no criminal
intent or breach of trust on the part of the officer, despite the fact
that case related documents from the Fredericton police force were discovered
in the hands of a suspected drug dealer during an unrelated drug probe.
(08:52):
The suspect claimed he recovered the device from a dumpster.
Investigators confirmed the desktop was previously used by the officer and had
been thrown away by the officer's spouse.
Although the device was not part of the police department's official equipment
inventory, it had been used for both personal and work-related tasks.
(09:13):
SIRT determined that the officer was unaware that the computer had been
improperly discarded and had no knowledge
it had landed in the possession of a suspect, so no charges will be filed.
But while this incident doesn't rise to the level of criminal misconduct, it
highlights a persistent and underaddressed.
In law enforcement and in other places where improper disposal of personal or
(09:37):
crossover use devices when hardware used for official purposes, whether sanctioned
or not, is thrown out without proper data
sanitization,
the risk to investigations, confidential sources and public
trust becomes substantial.
The Fredericton police force has since updated its internal policies
(09:57):
around device use and disposal, but the broader issue remains: home and
personal technology, if not properly secured and decommissioned, can become
a very effective open back door.
On Sunday, the official X (formerly Twitter) account for Elmo was compromised.
(10:19):
The verified account was used to broadcast a flurry of offensive
content: anti-Semitic slurs, racist statements, profane insults aimed at
Donald Trump, and a call for the release of Jeffrey Epstein's related files.
Sesame Street quickly confirmed the breach, condemned the posts,
and said the account had been secured and control restored.
(10:41):
However, the offensive messages remained live for about 30 minutes, time
enough for screenshots to go viral.
So outside of the fact that it's Elmo, why does this matter?
Well, high profile platform vulnerability.
The incident underscores how even beloved verified accounts can become vectors
for hate speech and misinformation, especially on platforms like X, which have
(11:05):
faced criticism for weakened moderation.
It also comes on the heels of extremist content generated by X's AI
chatbot Grok, which recently posted antisemitic and glorified extremist
rhetoric before it was corrected.
Details of how the account was accessed haven't been published.
Common vulnerabilities could include password reuse, phishing, brute force
(11:29):
attacks, or compromised third party apps.
But the reality is we don't know. But regardless of the method, the incident
highlights ongoing security gaps even for high profile brand accounts.
This breach illustrates two critical cybersecurity lessons.
One, strong account security controls: unique complex passwords, hardware
(11:51):
backed multifactor authentication, and frequent review of connected apps.
All of these are essential, especially for high profile accounts.
And rapid incident response:
timely detection, deletion of malicious content and regaining control can
help limit reputational damage, but it can't undo viral spread
(12:13):
once screenshots exist.
The Elmo incident is a stark reminder:
no account is safe. For brands and institutions,
even verified profiles require enterprise grade security measures. Regular audits,
hardened access controls and fast containment protocols aren't optional.
They're essential.
(12:33):
After all, nobody wants to have
their kids come and tell 'em, Hey
look, dad, mom, Sesame Street was sponsored by new letters F and you.
That's our show.
And as we move on to our next 10 million downloads, help us tell a
friend, share the podcast with others.
And yeah, we still need your donations at technewsday.com or .ca
(12:55):
and click donate and thank you.
And thank you to everyone for your support and this incredible milestone.
I'm your host, Jim Love.
Thanks for listening.